[baileypumfleet]

Hey - one of the cofounders here.

That’s a great question. When you connect your calendar with most scheduling apps, there’s really nothing stopping most of them from doing malicious things behind the scenes with your data. You don’t really know if they’re just querying your availability, or actually pulling specific event data.

With Cal.com, that’s different. Since day one, I built it to only check free/busy times and that hasn’t changed. Also, as it’s open source, you can literally go on GitHub and verify what I’m saying, as well as comb through every line of code that touches your calendar.

It’s the same principle that keeps something like the Linux kernel free of malicious software. There’s enough contributors from around the world that audit and review the code, that you can ultimately trust that there’s nothing malicious going on behind the scenes.

Also just to clarify, with how most major providers’ permission systems work, it’s scoped that we can only access your calendar data, and not contents of your email and such.

[fencepost]

I'm not even so much concerned with services like yours doing something malicious behind the scenes - I'm much more concerned about them being hacked/compromised in such a way that saved tokens could be used by an attacker. Maybe I'm wrong, but I suspect that there are services that get granted calendar, email, file access that could be considered much 'squishier' targets than the underlying services they connect to.

So, if you're getting the minimum viable amount of access to someone's calendar, what's the worst that could be done by an attacker with persistent access to your backend systems, and how does it vary between different services you connect to (e.g. Google, M365, Outlook.com, Zoom, etc.)? This isn't even really about your software, more about "how restricted do the underlying services allow my access to be?"